Re: [IPsec] New PAKE Criteria draft posted (def. of gateway)

["Kaz Kobara" <kobara_conf@m.aist.go.jp>]

> between gateways, people abuse
> PSK authentication by using it with short passwords.

I agree, but what I wanted to say was
this is also true (and even worse) "between clients and gateways".

> -----Original Message-----
> From: Yaron Sheffer [mailto:yaronf.ietf@gmail.com]
> Sent: Saturday, March 27, 2010 11:06 PM
> To: Kaz Kobara
> Cc: ipsec@ietf.org
> Subject: Re: [IPsec] New PAKE Criteria draft posted (def. of gateway)
> 
> Hi Kaz,
> 
> the deployment experience has been that between gateways, people abuse
> PSK authentication by using it with short passwords. Even though in
> principle they could do better.
> 
> Thanks,
> 	Yaron
> 
> On 26.3.2010 19:53, Kaz Kobara wrote:
> > Hi Yaron
> >
> > Thank you for your clarification.
> >
> >> "between gateways" as opposed to
> >> "between clients and gateways". So your assertion is correct.
> >
> > (Between gateways, administrators can set long secrets, so the necessity
> of
> > PAKE seems smaller than between clients and gateways where passwords are
> > recorded in the gateways and users have to type the passwords.)
> >
> > Anyway, if the scope is limited only on "between gateways" but not
"between
> > clients and gateways," the title
> > "Password-Based Authentication in IKEv2: Selection Criteria and
> Comparison"
> > seems misleading (since this itself misinforms that this criteria may
> be
> > applied to IKEv2 in any cases), and the above should be clearly
mentioned
> in
> > the document.
> >
> > Kaz
> >
> >> -----Original Message-----
> >> From: Yaron Sheffer [mailto:yaronf.ietf@gmail.com]
> >> Sent: Friday, March 26, 2010 2:14 PM
> >> To: Kaz Kobara
> >> Cc: ipsec@ietf.org
> >> Subject: Re: [IPsec] New PAKE Criteria draft posted (def. of gateway)
> >>
> >> Hi Kaz,
> >>
> >> I *thought* my intention was clear: "between gateways" as opposed to
> >> "between clients and gateways". So your assertion is correct.
> >>
> >> Thanks,
> >> 	Yaron
> >>
> >> On 26.3.2010 1:40, Kaz Kobara wrote:
> >>> Hi Yaron
> >>>
> >>>> draft-sheffer-ipsecme-pake-criteria-02.txt says in Page 4
> >>>> "This document is limited to the use of password-based authentication
> >> to
> >>>> achieve trust between gateways"
> >>>
> >>> I would like to make sure that
> >>> "gateway" in this document does not encompass VPN clients and hosts,
> > right?
> >>>
> >>> Kaz
> >>>
> >>>> -----Original Message-----
> >>>> From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On
> Behalf
> >> Of
> >>>> Yaron Sheffer
> >>>> Sent: Friday, March 26, 2010 3:31 AM
> >>>> To: SeongHan Shin
> >>>> Cc: IPsecme WG; Kazukuni Kobara
> >>>> Subject: Re: [IPsec] New PAKE Criteria draft posted
> >>>>
> >>>> Hi Shin,
> >>>>
> >>>> Yes. For the typical remote access VPN, EAP is typically more useful.
> >>>> Note that there is still need for strong password-based mutual
> >>>> authentication EAP methods - but their home is the EMU working group.
> >>>>
> >>>> In addition, the IPsecME has another charter item designed to fit
such
> >>>> EAP methods (such as the future EAP-AugPAKE :-) into IKEv2.
> >>>>
> >>>> Please see again the group's charter,
> >>>> http://tools.ietf.org/wg/ipsecme/charters.
> >>>>
> >>>> Thanks,
> >>>> 	Yaron
> >>>>
> >>>> On 25.3.2010 20:07, SeongHan Shin wrote:
> >>>>> Dear Yaron Sheffer,
> >>>>>
> >>>>> I have one question about the draft.
> >>>>>
> >>>>> draft-sheffer-ipsecme-pake-criteria-02.txt says in Page 4
> >>>>> "This document is limited to the use of password-based
authentication
> >>>> to
> >>>>> achieve trust between gateways"
> >>>>>
> >>>>> Is this a consensus of this WG?
> >>>>>
> >>>>> Best regards,
> >>>>> Shin
> >>>>>
> >>>>> On Thu, Mar 25, 2010 at 3:46 PM, Yaron Sheffer<yaronf.ietf@gmail.com
> >>>>> <mailto:yaronf.ietf@gmail.com>>   wrote:
> >>>>>
> >>>>>       Hi,
> >>>>>
> >>>>>       after the good discussion in Anaheim, and with the help of
> > comments
> >>>>>       received on and off the list, I have updated the PAKE Criteria
> >> draft
> >>>>>       and posted it as
> >>>>>
> >>>> http://www.ietf.org/id/draft-sheffer-ipsecme-pake-criteria-02.txt.
> >>>>>
> >>>>>       I have added a number of criteria, clarified others, and added
> >>>>>       numbering (SEC1-SEC6, IPR1-IPR3 etc.).
> >>>>>
> >>>>>       Thanks,
> >>>>>           Yaron
> >>>>>       _______________________________________________
> >>>>>       IPsec mailing list
> >>>>>       IPsec@ietf.org<mailto:IPsec@ietf.org>
> >>>>>       https://www.ietf.org/mailman/listinfo/ipsec
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> --
> >>>>>
> ------------------------------------------------------------------
> >>>>> SeongHan Shin
> >>>>> Research Center for Information Security (RCIS),
> >>>>> National Institute of Advanced Industrial Science and Technology
> >> (AIST),
> >>>>> Room no. 1003, Akihabara Daibiru 10F,
> >>>>> 1-18-13, Sotokannda, Chiyoda-ku, Tokyo 101-0021 Japan
> >>>>> Tel : +81-3-5298-2722
> >>>>> Fax : +81-3-5298-4522
> >>>>> E-mail : seonghan.shin@aist.go.jp<mailto:seonghan.shin@aist.go.jp>
> >>>>>
> ------------------------------------------------------------------
> >>>> _______________________________________________
> >>>> IPsec mailing list
> >>>> IPsec@ietf.org
> >>>> https://www.ietf.org/mailman/listinfo/ipsec
> >>>
> >>>
> >>> _______________________________________________
> >>> IPsec mailing list
> >>> IPsec@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/ipsec
> >
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec